Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: Quality Control Review of the Report on Controls over the Delphi Financial Management System, DOT
         QC-2005-075
Date:    September 2, 2005
From:    Theodore P. Alves
         Principal Assistant Inspector General for Auditing and Evaluation
Reply to Attn. of: JA-20
To:      Phyllis F. Scheinberg
         Assistant Secretary for Budget and Programs and Chief Financial Officer

This report summarizes the results of the review of system security controls over the Department of Transportation (DOT) Enterprise Service Center’s (service center) Delphi Financial Management System. The Delphi Financial Management System performs accounting and financial management functions for DOT and other Federal agencies. It is maintained by Federal Aviation Administration employees at the Mike Monroney Aeronautical Center in Oklahoma City, Oklahoma, under the direction of the departmental Chief Financial Officer.

The service center is one of four Centers of Excellence designated by the Office of Management and Budget (OMB) to provide financial management information system services to other Federal agencies. To date, the service center supports one other Federal agency, the National Endowment for the Arts. OMB requires Centers of Excellence to provide Federal agencies with an independent audit report in accordance with the American Institute of Certified Public Accountants (AICPA) standards.

Clifton Gunderson, LLP, an independent auditor of Calverton, Maryland, completed the review. The Office of Inspector General (OIG) performed a quality control review of Gunderson’s audit work to ensure that it complied with the applicable auditing standards: Generally Accepted Government Auditing Standards and the AICPA’s Statement on Auditing Standards (SAS) 70. In our opinion, Gunderson’s audit work complied with applicable standards.

The Gunderson audit report concluded that management’s description of controls for the Delphi Financial Management System presents fairly, in all material respects, the controls that had been placed in operation as of May 31, 2005. In addition, Gunderson concluded that the controls, as described, are suitably designed to provide reasonable assurance that 8 of the 10 specified control objectives would be achieved if these controls were complied with satisfactorily. Gunderson’s testing found that controls were operating effectively to provide reasonable assurance that 7 of the 10 control objectives were achieved during the period from October 1, 2004 to May 31, 2005.

We agree with Gunderson that strengthening the design and operational effectiveness in these control objective areas will further enhance Delphi Financial Management System operations. However, the service center and DOT Headquarters management deserve credit for making a concerted effort to enhance security and controls over Delphi system operations, as recommended in OIG’s September 2003 report.[1]

Specifically, since September 2003, DOT management implemented more disciplined security administration and oversight of Delphi operations, strengthened controls over access to the General Ledger module to ensure the integrity of financial statement compilation in Delphi, and installed an enclosed area in the computer center to better protect Delphi servers. In addition, management enhanced controls over changes to Delphi production programs and tested the contingency plan to ensure continuity of Delphi operations in case of emergency.

Gunderson reported that controls were not suitably designed or not operating effectively from October 1, 2004 to May 31, 2005 for the following control objectives.

• Security Administration Controls. Gunderson concluded that the controls described are suitably designed; however, they were not operating effectively in several areas. Specifically, the service center did not update the security plan to reflect the operating system upgrades in Delphi and the enhanced security protection of Delphi servers in the computer center; security accreditation for three interfacing systems had expired and the systems needed to be re-certified; the memorandum of understanding was not provided for a National Endowment for the Arts interfacing system, as required; and management did not provide alternative training measures when the security awareness website was not functional.

• Logical Access Controls. Gunderson concluded that the control used to capture incompatible duties/roles for Delphi processing was not suitably designed because it is a detective control rather than a preventive control. Gunderson also concluded that the described controls were not operating effectively in the areas of separating incompatible duties and restricting access to the operating system software on the Delphi computer server.

• Physical Access Controls. Gunderson concluded that the control used to grant access to the computer center, which houses Delphi and other computer systems, was not suitably designed because it does not ensure that access is granted in accordance with an individual’s job function/responsibilities. Gunderson also concluded that the described controls were not operating effectively because an excessive number of people were granted access to the computer center, and management did not always specify the justification for granting individuals access to the computer center on the request form.

Gunderson made 12 recommendations to improve controls and submitted the recommendations to DOT management under separate cover from its report.[2] We agree that implementing these recommendations will further enhance controls over Delphi Financial Management System operations and have included these recommendations in this report (see Exhibit A). In an August 25, 2005, response to OIG, the DOT Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions (see Appendix I).

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Gunderson’s recommendations are subject to follow-up. Gunderson is performing additional testing and will prepare a follow-up management letter to OIG by September 30, 2005, reporting whether the control environment has significantly changed between June 1 and September 30, 2005. After receiving Gunderson’s follow-up letter, we will decide whether additional support, including target completion dates, is needed for the corrective actions.

We appreciate the courtesies and cooperation of the Enterprise Service Center, the Office of the Secretary of Transportation, and Clifton Gunderson representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1992, or Rebecca Leng, Deputy Assistant Inspector General for Information Technology and Computer Security, at (202) 366-1488.

Attachment

cc: Chief Information Officer, DOT
    Federal Aviation Administrator

[1] Report Number FI-2003-094, “Report on Computer Security of Delphi Financial Management System,” September 30, 2003. OIG reports can be found on our website: www.oig.dot.gov.
[2] The independent auditor’s report will be available upon request.


EXHIBIT A. CLIFTON GUNDERSON, INDEPENDENT AUDITOR, RECOMMENDATIONS

DOT management should implement the following actions to enhance Delphi security administration controls.

1. Ensure all systems that connect to Delphi are certified and accredited and have established interconnection agreements.

2. Update the computer center (SMF) Security Plan to reflect changes in the facility.

3. Implement measures to ensure employee awareness training is always available.

DOT management should implement the following actions to enhance Delphi logical access controls.

4. Accelerate the implementation of “Sox Out of the Box” access control software to provide preventive security controls to separate incompatible duties and roles for Delphi processing.

5. Ensure that representatives from the National Endowment for the Arts sign a liability waiver for noncompliance with ESC’s recommended security parameters on assigning roles and responsibilities to Delphi users.

6. Restrict access to the audit log repository to only those individuals with security and review responsibilities.

7. Review who has high “root-level” access to the Delphi operating system and formally document the authorization for granting access to legitimate users. Provide adequate training on this privileged account before granting access.

8. Reduce the number of users with “root-level” access to the Delphi operating system. Deactivate the “root-level” access assigned to one terminated employee.

9. Review the Delphi operating system settings on a periodic basis and notify the SMF Information System Security Officer (ISSO) of all discrepancies for immediate action.

DOT management should implement the following actions to enhance Delphi physical access controls.

10. Reduce the number of employees and contractors with access to the SMF computer center and complete the transfer of all Delphi servers into the caged area.

11. Require division managers with employees and contractors requiring access to the SMF computer center to:
    • Properly document the justification for physical access requests to SMF.
    • Review monthly the list of employees and contractors who have access to the SMF.
    • Perform a quarterly recertification of authorized user access to the facility.

12. Explore the feasibility of implementing a biometric key card for physical access to the SMF computer center that expires every 90 days and triggers a need for quarterly recertification.


APPENDIX I. MANAGEMENT COMMENTS

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation

Subject: Management Response to the Quality Control Review of the Enterprise Service Center’s Delphi Financial Management System
Date:    August 25, 2005
From:    Lawrence I. Neff
         Deputy Chief Financial Officer
Reply to Attn. of: B-2
To:      Rebecca C. Leng
         Deputy Assistant Inspector General for Information Technology and Computer Security

Thank you for the Enterprise Service Center (ESC) Quality Control Review report of the Delphi Financial Management System. We appreciate all the help the Office of Inspector General (OIG) staff provided in coordinating Clifton-Gunderson's Statement on Auditing Standards (SAS) audit of Delphi.

We have worked closely with the auditors throughout the SAS-70 review. As issues were raised, immediate actions were taken to mitigate risks and to further strengthen Delphi's security controls. Corrective actions taken to enhance Delphi security controls in response to this SAS-70 review include:

• Interconnection agreements for all Delphi interfaces have been completed.
• The ESC computer center (SMF) Security Plan has been updated to reflect changes in the facility, such as the OIG-recommended server isolation cage.
• Agency-specific Security Awareness training is now available online, with CD-ROM based training being available for sign-out locally. In addition, in-processing procedures have been updated to ensure all new employees receive Security Awareness training within 30 days of starting work.
• Per the auditor's recommendation, the National Endowment for the Arts (NEA) submitted and the Delphi System Owner approved a time-limited Incompatible Roles Risk Acceptance, pending the implementation of the SOX Out of the Box software this Fiscal Year.
• Individuals with system Root Access privileges have had their access reviewed and their authorization formally documented. System Administrators receive specialized, supervised training prior to being granted elevated privileges.
• We are continuing to reduce the number of individuals with access to the SMF computer center. In addition, all Delphi servers have been relocated to the further restricted locked caged area.
• The SMF computer center's process for authorizing physical access has been strengthened to ensure proper justifications for access exist and that access lists are recertified quarterly. In the future, as the Department implements the requirements of Homeland Security Presidential Directive 12 (HSPD 12), Policy for a Common Identification Standard (CIS) for Federal Employees and Contractors, more robust physical access measures may be incorporated.

The following additional corrective actions are currently underway:

• Two remaining Delphi interfacing systems do not have current certifications & accreditations (C&A). One system, owned by B-30, is scheduled to sunset in the near future; therefore, the Delphi System Owner has accepted the risk of this system not being recertified. The other system's recertification is presently underway, with a scheduled completion date of September 30, 2005.
• The SOX Out of the Box application is on schedule to be implemented in the Delphi Production environment by the end of August. In testing, SOX has been successful at masking SSN numbers and in proactively enforcing the Delphi Incompatibility Matrix at the transaction level.
• Actions to restrict access to the Operating System Audit Log Repository are underway and are on schedule to be completed during August.
• By August 31, System Administrator Root Access on the Delphi production server will be further reduced by two individuals. Written approval from the DOT Deputy Chief Financial Officer (DCFO) will be required if these privileges should ever need to be reinstated. In addition, we are continuing to investigate the use of system utilities that could allow Administrators to maintain the system without using Root privileges.

Attached is a more detailed action plan that outlines specific actions that have been and are being taken to strengthen each security control discussed in the SAS-70 report.

We look forward to continuing to work with your staff to strengthen the design and implementation of Delphi security controls. As an Office of Management and Budget (OMB) designated Center of Excellence, we are strongly committed to ensuring the ESC’s Delphi Financial Management System meets or exceeds all security requirements. Thank you for your continuing support and assistance in this effort.

Attachment

cc:
Dan Matthews, Darren Ash, Joanne Choi, Arvid Knutsen,
Lindy Ritz, Dick Rodine, Joanne Adam, Bob Stevens,
Cheryl Rogers, Keith Burlison, Mike Myers, Laura Ramoly